Sign nextest's binary releases

[sunshowers]

It would be really nice to have a way for us to sign nextest's binary releases to ensure they're authentic.

[taiki-e]

FYI, I'm working on supporting signing in upload-rust-binary-action, and here is a draft implementation of signing with PGP: taiki-e/upload-rust-binary-action#40 (comment)

[sunshowers]

Thanks, this is awesome! Any plans to support Sigstore?

[taiki-e]

Sorry for the late reply, Sigstore has been included in the list since taiki-e/upload-rust-binary-action#40 was first opened.

Do you have any concrete requests as to what format you want to sign, or what files you want to sign?

[sunshowers]

Thanks @taiki-e -- ideally the release task would run cosign sign-blob using an identity from GitHub Actions: https://docs.sigstore.dev/cosign/signing_with_blobs. Then, the cosign.bundle (appropriately named) would be uploaded along with the artifact. To verify the signature, users or automated tooling could download the cosign bundle and verify it that way.

It would also be great to work with @NobodyXu and the binstall folks to align on a strategy where binstall checks signatures.

[sunshowers]

(I think another option is to use OCI to store artifacts in addition to GitHub Releases: https://docs.sigstore.dev/cosign/signing_with_blobs/#blobs-in-oci-registries)

[sunshowers]

I wrote a comment on cargo-bins/cargo-binstall#1 discussing this.